Details
Type: Bug
Status: Closed
Priority: Low
Resolution: Duplicate
Affects Version/s: 2.0
Fix Version/s: 2.2 Iteration 2, 2.2
Component/s: Authentication / Security
Labels:
Environment:
Crowd 2.0.0 (Build:#406 - Jul 29, 2009)
Sun Java 1.6.0_16, JVM 14.2-b01
Bug Fix Policy:
Description
Like FE-899
Set-up is something like this:
- SSO domain is .example.com
- Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
- Additionally, webdav.example.com allows users to easily make test websites
Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).
Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).
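The weakness the report describes is the combination of two cookie properties: a Domain attribute that scopes the SSO cookie to the parent domain (so every Crowd-authenticated host shares it) and the absence of the HttpOnly flag (so script on any of those hosts can read it through document.cookie). The Python below is an added example, not part of this issue or of Crowd's code: it audits Set-Cookie header values for exactly that combination and shows the hardened header that the duplicate issue CWD-1874 asks for. The cookie name sso_token and the header values are constructed for the example; they are not captured from a real Crowd instance.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample headers (not captured from a real Crowd instance).
# WEAK_HEADER is the shape the report describes: scoped to .example.com so
# every Crowd-authenticated host shares it, but with no HttpOnly flag.
WEAK_HEADER = "sso_token=EXAMPLE-TOKEN-VALUE; Domain=.example.com; Path=/"
HARDENED_HEADER = (
    "sso_token=EXAMPLE-TOKEN-VALUE; Domain=.example.com; Path=/; Secure; HttpOnly"
)


@dataclass
class CookieAudit:
    name: str
    domain: Optional[str]  # None means host-only, the RFC 6265 default
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the attributes that matter here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    domain: Optional[str] = None
    httponly = secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            # Browsers ignore a leading dot; any Domain attribute at all makes
            # the cookie visible to every subdomain of that domain.
            domain = value.strip().lower().lstrip(".")
        elif key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    return CookieAudit(name=name, domain=domain, httponly=httponly, secure=secure)


def audit_set_cookie(header: str) -> CookieAudit:
    """Flag the conditions that let a sibling host's script read an SSO cookie."""
    c = parse_set_cookie(header)
    if not c.httponly:
        c.findings.append("no-httponly")  # document.cookie exposes it
    if not c.secure:
        c.findings.append("no-secure")  # also sent over plaintext HTTP
    if not c.httponly and c.domain is not None:
        # The report's scenario: content a user can publish on any subdomain
        # (webdav.example.com) runs with access to the shared SSO cookie.
        c.findings.append("readable-from-sibling-host")
    return c


def hardened_set_cookie(name: str, value: str, domain: Optional[str] = None) -> str:
    """Build the Set-Cookie value the fix should emit.

    SSO still needs the parent-domain scope, so Domain is kept. HttpOnly keeps
    the cookie out of document.cookie and Secure keeps it off plaintext HTTP.
    """
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly"]
    if domain:
        attrs.append(f"Domain={domain}")
    return "; ".join(attrs)


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_set_cookie(header)
        print(f"{result.name} (Domain={result.domain}): {result.findings or 'ok'}")
```

Run it against the Set-Cookie headers your Crowd instance actually emits (for example, copied from a browser's network inspector) rather than the constructed samples; the "readable-from-sibling-host" finding is the one this issue is about, and it disappears once HttpOnly is present even though the Domain attribute, which SSO requires, stays.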
Attachments
Issue Links
- is duplicated by CWD-1874 Make Crowd token cookies httponly (Closed)